Is it possible to get profile information in an id_token from Google?
Question
When using Google's OpenIDConnect authentication system, it's possible to specify email or profile or both in the scope parameter. If you request the email scope, the "email" and "email_verified" claims will be included in the id_token that gets returned as part of a successful OAuth2 authentication session.

Here's an example from Google's documentation:

An ID token's payload
An ID token is a JSON object containing a set of name/value pairs. Here's an example, formatted for readability:
{"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"1234987819200.apps.googleusercontent.com",
"email":"jsmith@example.com",
"aud":"1234987819200.apps.googleusercontent.com",
"iat":1353601026,
"exp":1353604926,
"hd":"example.com"
}
However, requesting the profile scope seems to have no effect whatsoever on the contents of the id_token. In order to retrieve the profile information, you have to make a separate HTTP request to a distinct endpoint (authenticated with the access_token you just received) to get a document that looks very similar, but with more information:
{
"kind": "plus#personOpenIdConnect",
"gender": string,
"sub": string,
"name": string,
"given_name": string,
"family_name": string,
"profile": string,
"picture": string,
"email": string,
"email_verified": "true",
"locale": string,
"hd": string
}
Ideally, I would prefer to get the profile information (just name, actually) included in the id_token JWT rather than having to make a separate call. Is there any way to specify additional fields and have them included as claims in the id_token? If not, why is email treated specially and returned in the id_token?
Answer
Starting today you will get profile information when exchanging the code at the token endpoint (i.e. using the "code flow").

How to use: add the profile scope to your request, and make sure you are using the OpenID Connect compliant endpoints (the ones listed in https://accounts.google.com/.well-known/openid-configuration).

Look for claims such as name and picture in these ID Token responses. As before, if the email scope is in your request, the ID Token will contain email related claims.
When you refresh your access token, every so often the ID Token that is returned with the fresh access token will also contain these additional claims. You can check these fields, and if present (and different to what you have stored), update your user's profile. This can be useful to detect name or email address changes.